Ireland tipped to be at centre of legal battleground over new EU privacy laws
IRISH courts will have a central role to play when it comes to costly international disputes over privacy law after a stringent new European data-protection directive becomes effective in May next year.
Emerald de Leeuw, an Irish expert on data protection law, said the EU’s incoming General Data Protection Regulation (GDPR) is the biggest change in data protection ever to occur in Ireland.
The directive, which attempts to strengthen and unify data protection laws across member states, has huge significance for Ireland because of the country’s growth as a European data centre hub. Ireland hosts data centres for Google, Microsoft, Amazon and Apple.
GDPR is the most significant overhaul of European data-protection regulations in more than 20 years. It enforces rights for EU citizens wherever in the world they are.
Under data protection laws, acquiring consent is the quick way to comply with data protection laws. But GDPR tightens this regime.
It will introduce a much higher standard for consent data controllers need in order to legally handle others’ data. Businesses and organisations are going to need “clear and more granular opt-in methods, good records of consent, and simple easy-to-access ways for people to withdraw consent” or they will be found in breach of the regulation.
In the most extreme cases of breaches of the regulation, organisations can be fined €20m or up to 4pc of the total worldwide annual turnover of the preceding financial year, whichever is higher.
“You will find that all the disputes around GDPR will be fought out in Ireland due to the fact that all the multinationals are based here,” said De Leeuw, chief executive of EuroComply, an Irish software company that helps firms manage GDPR compliance.
“The European Commission had seen that the directive from 1995 was not really adequate to deal with the world that we currently live in, with Big Data and basically data being the new currency for businesses and consumers alike. They found there needed to be a big regulatory overhaul,” she said.
De Leeuw said Ireland’s role in the future of GDPR presents a number of challenges, especially around balancing potential conflicts between being a pro-business country and protecting EU citizens’ privacy rights. “Ireland is very pro-business. But there could be more enforcement. It’s a real challenge for Ireland to make sure that companies are respecting data protection law, while at the same time still making it attractive for them to stay here. So that is a tricky balance.”
On the issue of acquiring consent by users, De Leeuw said: “We are in a dangerous situation, where companies are relying heavily on consent to make the processing of the data a lawful activity. But we are living in a world now where you can’t be without the services provided by multinationals — you just can’t survive, so you don’t really have a choice. So consent, in my opinion, often becomes meaningless because you have to consent in order to use the service otherwise they will exclude you.”
Companies need to ensure that they have robust policies, procedures and processes in place to ensure compliance, said Leeuw.
“With the risk of heavy fines under the GDPR, not to mention the reputational damage and potential loss of consumer confidence caused by non-compliance, Irish firms must act fast.”